.NET applications operate under a given trust level. Normal desktop applications operate under full trust, while web applications that are hosted in shared environments are normally run under the partial trust level (also known as “medium trust”). Some hosting providers host shared applications in their own app pools and allow the application to run under full trust, but this configuration is relatively rare. The Connector/Net support for partial trust has improved over time to simplify the configuration and deployment process for hosting providers.
The partial trust support for Connector/Net has improved rapidly throughout the 6.5.x and 6.6.x versions. The latest enhancements do require some configuration changes in existing deployments. Here is a summary of the changes for each version.
Now you can install the
library in the Global Assembly Cache (GAC) as explained in
Section 18.104.22.168.2, “Configuring Partial Trust with Connector/Net Library Installed in GAC”, or in a
lib folder inside
the project or solution as explained in
Section 22.214.171.124.3, “Configuring Partial Trust with Connector/Net Library Not Installed in
GAC”. If the
library is not in the GAC, the only protocol supported is
Connector/Net 6.5 fully enables our provider to run in a partial
trust environment when the library is installed in the Global
Assembly Cache (GAC). The new
MySqlClientPermission class, derived from the
DBDataPermission class, helps to
simplify the permission setup.
Starting with these versions, Connector/Net can be used under
partial trust hosting that has been modified to allow the use of
sockets for communication. By default, partial trust does not
SocketPermission. Connector/Net uses
sockets to talk with the MySQL server, so the hosting provider
must create a new trust level that is an exact clone of partial
trust but that has the following permissions added:
Connector/Net versions prior to 5.0.8 and 5.1.3 were not compatible with partial trust hosting.
If the library is installed in the GAC, you must include the
in your connection string. This is a new requirement as of
The following list shows steps and code fragments needed to run a Connector/Net application in a partial trust environment. For illustration purposes, we use the Pipe Connections protocol in this example.
Install Connector/Net: version 6.6.1 or higher, or 6.5.4 or higher.
After installing the library, make the following configuration changes:
SecurityClasses section, add a
definition for the
class, including the version to use.
<configuration> <mscorlib> <security> <policy> <PolicyLevel version="1"> <SecurityClasses> .... <SecurityClass Name="MySqlClientPermission" Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=126.96.36.199, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />
Scroll down to the
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
Add a new entry for the detailed configuration of the
<IPermission class="MySqlClientPermission" version="1" Unrestricted="true"/>
Note: This configuration is the most generalized way that includes all keywords.
Configure the MySQL server to accept pipe connections, by
--enable-named-pipe option on
the command line. If you need more information about this,
see Section 2.3, “Installing MySQL on Microsoft Windows”.
Confirm that the hosting provider has installed the
Connector/Net library (
in the GAC.
Optionally, the hosting provider can avoid granting
permissions globally by using the new
MySqlClientPermission class in the trust
policies. (The alternative is to globally enable the
Create a simple web application using Visual Studio 2010.
Add the reference in your application for the
web.config file so that your
application runs using a Medium trust level:
<system.web> <trust level="Medium"/> </system.web>
to your server-code page.
Define the connection string, in slightly different ways depending on the Connector/Net version.
Only for 6.6.4 or later: To
use the connections inside any web application that will run
in Medium trust, add the new
includesecurityasserts option to the
includesecurityasserts=true that makes
the library request the following permissions when required:
SecurityPermissions among others that are
not granted in Medium trust levels.
For Connector/Net 6.6.3 or earlier: No special setting for security is needed within the connection string.
MySqlConnectionStringBuilder myconnString = new MySqlConnectionStringBuilder("server=localhost;User Id=root;database=test;"); myconnString.PipeName = "MySQL55"; myconnString.ConnectionProtocol = MySqlConnectionProtocol.Pipe; // Following attribute is a new requirement when the library is in the GAC. // Could also be done by adding includesecurityasserts=true; to the string literal // in the constructor above. // Not needed with Connector/Net 6.6.3 and earlier. myconnString.IncludeSecurityAsserts = true;
MySqlConnection to use:
MySqlConnection myconn = new MySqlConnection(myconnString.ConnectionString); myconn.Open();
Retrieve some data from your tables:
MySqlCommand cmd = new MySqlCommand("Select * from products", myconn); MySqlDataAdapter da = new MySqlDataAdapter(cmd); DataSet1 tds = new DataSet1(); da.Fill(tds, tds.Tables.TableName); GridView1.DataSource = tds; GridView1.DataBind(); myconn.Close()
Run the program. It should execute successfully, without requiring any special code or encountering any security problems.
When deploying a web application to a Shared Hosted environment,
where this environment is configured to run all their .NET
applications under a partial or medium trust level, you might
not be able to install the Connector/Net library in the GAC.
Instead, you put a reference to the library in the
lib folder inside
the project or solution. In this case, you configure the
security in a different way than when the library is in the GAC.
Connector/Net is commonly used by applications that run in Windows environments where the default communication for the protocol is used via sockets or by TCP/IP. For this protocol to operate is necessary have the required socket permissions in the web configuration file as follows:
Open the medium trust policy web configuration file, which should be under this folder:
Framework64 in the path instead of
Framework if you are using a 64-bit
installation of the framework.
<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
Scroll down and look for the following
<PermissionSet version="1" Name="ASP.Net">
Add the following inside this
<IPermission class="SocketPermission" version="1" Unrestricted="true" />
This configuration lets you use the driver with the default Windows protocol TCP/IP without having any security issues. This approach only supports the TCP/IP protocol, so you cannot use any other type of connection.
Also, since the
class is not added to the medium trust policy, you cannot
use it. This configuration is the minimum required in order
to work with Connector/Net without the GAC.